We're all about privacy
-
A while ago, I sent someone money using Western Union. For those of who don't know, Western Union is a very big name (in the US, at least; I don't know about elsewhere), frequently regarded as the archetype of money transfer services.
Not long ago, I got this (fairly typical) e-mail from them:
Dear Western Union consumer:
Thank you for using Western Union!
We want you to know that Western Union treats consumer privacy as a serious issue. To review our Privacy Statement, simply click here. We encourage you to take a moment to review this Statement and to become familiar with it. You may review and change your personal information and privacy preferences at any time by logging into your online account.
Thank you again for using westernunion.com. We greatly appreciate your business.
Okay, that's nice. But I noticed something underneath. I have Mozilla set to never load external images in HTML e-mail, so at the bottom of the message is a "broken image" icon (meaning, an unloaded image). So I bring up the source and I find this:<IMG src="http://portal.mxlogic.com/images/transparent.gif">
Yeah, a web bug. A means of tracking when (and from where) recipients have read the e-mail. Embedded in an e-mail pledging to honor privacy. Sent from a company whose business model depends heavily on its reputation for being trustworthy.
-
This one almost screams out for a letter to be written to the powers that be over at Western Union describing exactly the implications you are stating here.
Perhaps a letter to the editor or something to that effect to MSNBC also.
-
Honestly I'd bet that over 30% of the money that goes through Western Union is online scam/fraud/money laundering. They don't give a crap and so far haven't done anything about it. The company is completely corrupt when it comes to management, and trustworthy is hardly a word I'd ever use to describe them.
-
[quote user="Thalagyrt"]Honestly I'd bet that over 30% of the money that goes through Western Union is online scam/fraud/money laundering. They don't give a crap and so far haven't done anything about it. The company is completely corrupt when it comes to management, and trustworthy is hardly a word I'd ever use to describe them.[/quote]
You know, you are probably right. The No Trade list published by the US govt. tells every financial institution who not to do business with. Enforcement of this list would seem to be an nearly impossible task until you realize that the enforcement is done by the financial institutions themselves.
It basically works like this, if you find a transaction originating from or routing to a name/organization on that list, nform the government and every handler of that transaction prior to the discovery is fined $10,000 USD. No company wants to be part of that fine so they all check and report. Notice this works because there are multiple handlers of the transaction.
The problem with Western Union is that they are both the originator and the final distributer of that transaction so no one else can double check them. Since no other hands are in the transaction, if Western Union doesn't check, then no one will; with this in mind, yes, it is the perfect vessel for scam/fraud/laundering. This also gives us the reason why they hold privacy to such high regard, if they didn't, someone might be able to check behind them.
-
While the web bug thing is a bit disturbing, I do have to give Western Union kudos for contacting me when someone was trying to rip off my credit card. I don't know how the person ever got a hold of my cc (too many online purchases) but a call from WU was all it took to quickly cancel that cc. Hopefully I'm never in a situation where I need WU services (and I'm pretty sure their fees are exorbitant) but at least they're not so corrupt they take fraudulent charges and let the consumer deal with it after the fact.
-
That's not much of a web bug. Generally and email web bug needs to contain a unique identifier in order to match up with the email address it was sent to (that is also in the wikipedia link you provided).
Are you sure they aren't using the transparent gif for layout purposes?
-
And hosting it at a third party? That is a WTF on its own.
I'm also not sure how exactly they manage to identify the message and recipient only from this bug, but given that MX Logic is an independent company specializing (among other things) in mail surveillance, anything hosted on their domain has no business being invisibly loaded in a confidential email.
-
[quote user="smbell"]
Are you sure they aren't using the transparent gif for layout purposes?
[/quote]
It is at the very end of the document. In fact, it appears after the closing </BODY> tag and before the closing </HTML> tag, for some reason.
-
Since it doesn't have a unique identifier, it can't do much to track you. But it might be used by the marketing company that sent it out on Western Union's behalf to count how many emails get through and thus know what to charge Western Union. It's still not nice though.
-
Bizarrely, the link to western union's privacy policy redirects through ad.doubleclick.com (which I blocked, so I don't know if it goes back). Anyway, I don't think the OP understands the purpose of (You-Have-No-)Privacy Policies. "pledging to honor privacy"? "reputation for being trustworthy"? Please. Western Union's is totally typical:
We collect Information you supply when: (a) you ask us or one of our affiliates to send or receive money or to provide other goods or services; (b) you submit Information on applications or other forms to us or our affiliates; or (c) you otherwise submit Information to us, our affiliates or others; 
We collect Information about your transactions with us, our affiliates or others; We may collect Information about you from a variety of third party sources such as our business clients, government agencies and consumer reporting agencies and other suppliers of information; and We collect Information about your online activity as described in the paragraph below titled "INTERNET TECHNOLOGY" together .... etc...
we may disclose the Information we collect in the paragraphs titled, "INFORMATION WE COLLECT" and "INTERNET TECHNOLOGY" to our affiliates and to unaffiliated third parties as described below.
We may disclose Information about current and former consumers and customers to the following types of third parties:
1. Financial service providers such as Western Union Agents that offer our services;
2. Banks, credit card companies, brokerage houses, mortgage lenders and mortgage originators;
3. Non-financial companies such as retailers, direct marketers and other providers of goods and services;
4. Government agencies; and
5. As permitted or required by law.We may also disclose Information to companies that perform marketing services for us or other financial institutions with whom we have joint marketing arrangements
"We will store everything we can possible get on you, and give it out like candy for a few pennies to everyone we can. And any government entity that feels like asking about you."
Right. "Trust."
-
[quote user="VGR"]
So I bring up the source and I find this:
<IMG src="http://portal.mxlogic.com/images/transparent.gif">
Yeah, a web bug. A means of tracking when (and from where) recipients have read the e-mail. Embedded in an e-mail pledging to honor privacy. Sent from a company whose business model depends heavily on its reputation for being trustworthy.
[/quote]
Assuming that's exactly the source that you found, the most that the company could possibly be recording is:
* your IP address
* the time at which you read the email
* the email client that you used to read it with
* from your IP address, they can try to get the name of your ISP and your approximate location (ie my IP address will tell you that I'm in London in the UK), but this may not be possible (especially the geographic location)
That's it - they can't get your name, your email address, your user id or anything like that. Yes it's ironic, but it's hardly a privacy violation, you reveal that much every time you request an internet resource.
Surfing to http://mxlogic.com reveals that the domain is owned by an email hosting and management service; as another poster already opined, it may be a way of counting the number of emails that were read (although for charging purposes, they'd surely count the number *sent*). On the other hand, Hanlon's Razor suggests that it may well be a mistake, especially as it's outside the body tag; my money would be on it being a copy/paste error.
-
[quote user="VGR"]It is at the very end of the document. In fact, it appears after the closing </BODY> tag and before the closing </HTML> tag, for some reason.[/quote]
Then surely it would be ignored - the image can't be displayed, so why download it?
-
-
Every privacy policy boils down to "We will never release personal information about you unless permitted by law."
----
I will never lie to you unless permitted by law.
-
[quote user="Otterdam"]
[quote user="VGR"]It is at the very end of the document. In fact, it appears after the closing </BODY> tag and before the closing </HTML> tag, for some reason.[/quote]
Then surely it would be ignored - the image can't be displayed, so why download it?
[/quote]
Outlook.
-
[quote user="Cloaked User"]
Assuming that's exactly the source that you found, the most that the company could possibly be recording is:
* your IP address
* the time at which you read the email
* the email client that you used to read it with
* from your IP address, they can try to get the name of your ISP and your approximate location (ie my IP address will tell you that I'm in London in the UK), but this may not be possible (especially the geographic location)
[/quote]
Usually all they really want is "is it a live address?" If it is, it goes on their mailing lists. It's just a poor man's implementation of read receipts.
-
[quote user="VGR"]
A while ago, I sent someone money using Western Union. For those of who don't know, Western Union is a very big name (in the US, at least; I don't know about elsewhere), frequently regarded as the archetype of money transfer services.
Not long ago, I got this (fairly typical) e-mail from them:
Dear Western Union consumer:
Thank you for using Western Union!
We want you to know that Western Union treats consumer privacy as a serious issue. To review our Privacy Statement, simply click here. We encourage you to take a moment to review this Statement and to become familiar with it. You may review and change your personal information and privacy preferences at any time by logging into your online account.
Thank you again for using westernunion.com. We greatly appreciate your business.
Okay, that's nice. But I noticed something underneath. I have Mozilla set to never load external images in HTML e-mail, so at the bottom of the message is a "broken image" icon (meaning, an unloaded image). So I bring up the source and I find this:<IMG src="http://portal.mxlogic.com/images/transparent.gif">
Yeah, a web bug. A means of tracking when (and from where) recipients have read the e-mail. Embedded in an e-mail pledging to honor privacy. Sent from a company whose business model depends heavily on its reputation for being trustworthy.
[/quote]
You've just inadvertantly shown me how to determine who is looking at my myspace page. Must... fight... desire... to... use... this...
-
Update: I just got an e-mail from GEICO with exactly the same bug at the end of the message. (This time it's inside the <body> element.) I guess mxlogic.com is growing.
-
@Thalagyrt said:
Honestly I'd bet that over 30% of the money that goes through Western Union is online scam/fraud/money laundering.
And another 65% is used for sending money "back home" (Mexico, South America, wherever). Go anywhere where there's a large (illegal) immigrant population. The Western Union counter always has a line. sigh
I've used the service twice: Once to send money to my mortgage company when they were about to foreclose a few years ago and another time to send money to my brother when he was in the Army.
-
Did you notice this?
Thank you again for using <a href="http://mailings.westernunion.com/cgi-bin24/DM/y/nbk60UbU6s0Il20BITp0EX">westernunion.com</a>. We greatly appreciate your business.
-
Did anyone notice this?
Thank you again for using <a href="http://mailings.westernunion.com/cgi-bin24/DM/y/nbk60UbU6s0Il20BITp0EX" mce_href="http://mailings.westernunion.com/cgi-bin24/DM/y/nbk60UbU6s0Il20BITp0EX">westernunion.com</a>. We greatly appreciate your business.
-
Can someone please delete my previous message?
-
hahabestforumsoftwareever
-
Woah..
This forum software screwup is front page worthy
-
Way to go newfweiler, you broke the thread. Has anyone emailed Alex so he can look at it and send a bug report to Telligent?
-
-
@newfweiler said:
Did you notice this?
Thank you again for using <a href="http://mailings.westernunion.com/cgi-bin24/DM/y/nbk60UbU6s0Il20BITp0EX">westernunion.com</a>. We greatly appreciate your business.trying to quote newfweiler
i wonder what may happen.....
-
@Tatiano said:
@newfweiler said:
Did you notice this?
Thank you again for using <a href="http://mailings.westernunion.com/cgi-bin24/DM/y/nbk60UbU6s0Il20BITp0EX">westernunion.com</a>. We greatly appreciate your business.trying to quote newfweiler
i wonder what may happen.....
nothing... i guess...
=/
-
@Tatiano said:
@Tatiano said:
@newfweiler said:
Did you notice this?
Thank you again for using <a href="http://mailings.westernunion.com/cgi-bin24/DM/y/nbk60UbU6s0Il20BITp0EX%22%3Ewesternunion.com%3C/a>. We greatly appreciate your business.trying to quote newfweiler
i wonder what may happen.....
nothing... i guess...
=/
Really, I don't know what I did to break this. I tried to replicate it but could not.
-
@newfweiler said:
@Tatiano said:
@Tatiano said:
@newfweiler said:
Did you notice this?
Thank you again for using <a href="http://mailings.westernunion.com/cgi-bin24/DM/y/nbk60UbU6s0Il20BITp0EX%22%3Ewesternunion.com%3C/a>. We greatly appreciate your business.trying to quote newfweiler
i wonder what may happen.....
nothing... i guess...
=/
Really, I don't know what I did to break this. I tried to replicate it but could not.
*gak*
*awk*
*aghk*
*SPLUT*
Perhaps you can break the forum in this when you select fom the thread, including the buttons, then paste it into the editbox.
-
Anyway, I tried to show the privacy policy "click here" tag, which somehow broke the forum. If you look at the URL for the "To review our Privacy Statement, simply click here", it contains some Base64 code that probably identifies you, so they know who looked at the Privacy Statement.
-
The forums software somehow mangles the HTML a href that you posted, since I have no faith in the forum's ability to display said problematic code, here's a link to it. The code from that line up to (and including) the next line with a ' (single quote mark) in it is somehow invalid, causing the rest of the page's HTML code to jump into the post's <div> block (because the closing </div> tag got eaten).
